From 814ef96624b42f324e57efe51c549fa634783912 Mon Sep 17 00:00:00 2001
From: Virgil <virgil@lethean.io>
Date: Thu, 26 Mar 2026 11:30:06 +0000
Subject: [PATCH] fix(crypt): address AX import and test review

Co-Authored-By: Virgil <virgil@lethean.io>
---
 auth/auth_test.go                   |  5 +++--
 auth/session_store_sqlite.go        |  4 ++--
 cmd/testcmd/output_test.go          | 10 +++++-----
 crypt/chachapoly/chachapoly_test.go | 18 +++++++++---------
 crypt/lthn/lthn_test.go             | 10 +++++++---
 crypt/openpgp/service_test.go       |  4 ++--
 go.mod                              |  2 +-
 go.sum                              |  4 ++--
 trust/policy_test.go                |  2 +-
 trust/trust_test.go                 |  2 +-
 10 files changed, 33 insertions(+), 28 deletions(-)

diff --git a/auth/auth_test.go b/auth/auth_test.go
index 8560892..5777a8e 100644
--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@@ -621,7 +621,8 @@ func TestConcurrentSessionCreation_Good(t *testing.T) {
 	}
 }
 
-// TestSessionTokenUniqueness_Good generates 1000 tokens and verifies no collisions.
+// TestSessionTokenUniqueness_Good generates 1000 session tokens and verifies
+// no collisions without paying the full login hash-verification cost each time.
 func TestSessionTokenUniqueness_Good(t *testing.T) {
 	a, _ := newTestAuth()
 
@@ -633,7 +634,7 @@ func TestSessionTokenUniqueness_Good(t *testing.T) {
 	tokens := make(map[string]bool, n)
 
 	for i := range n {
-		session, err := a.Login(userID, "pass")
+		session, err := a.createSession(userID)
 		require.NoError(t, err)
 		require.NotNil(t, session)
 
diff --git a/auth/session_store_sqlite.go b/auth/session_store_sqlite.go
index 843ae58..4340da8 100644
--- a/auth/session_store_sqlite.go
+++ b/auth/session_store_sqlite.go
@@ -6,12 +6,12 @@ import (
 	"sync"
 	"time"
 
-	"forge.lthn.ai/core/go-store"
+	"dappco.re/go/core/store"
 )
 
 const sessionGroup = "sessions"
 
-// SQLiteSessionStore is a SessionStore backed by go-store (SQLite KV).
+// SQLiteSessionStore is a SessionStore backed by core/store (SQLite KV).
 // A mutex serialises all operations because SQLite is single-writer.
 type SQLiteSessionStore struct {
 	mu    sync.Mutex
diff --git a/cmd/testcmd/output_test.go b/cmd/testcmd/output_test.go
index c208ed0..381befd 100644
--- a/cmd/testcmd/output_test.go
+++ b/cmd/testcmd/output_test.go
@@ -6,19 +6,19 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestShortenPackageName(t *testing.T) {
+func TestShortenPackageName_Good(t *testing.T) {
 	assert.Equal(t, "pkg/foo", shortenPackageName("dappco.re/go/core/pkg/foo"))
-	assert.Equal(t, "cli-php", shortenPackageName("forge.lthn.ai/core/cli-php"))
+	assert.Equal(t, "cli-php", shortenPackageName("example.com/org/cli-php"))
 	assert.Equal(t, "bar", shortenPackageName("github.com/other/bar"))
 }
 
-func TestFormatCoverageTest(t *testing.T) {
+func TestFormatCoverage_Good(t *testing.T) {
 	assert.Contains(t, formatCoverage(85.0), "85.0%")
 	assert.Contains(t, formatCoverage(65.0), "65.0%")
 	assert.Contains(t, formatCoverage(25.0), "25.0%")
 }
 
-func TestParseTestOutput(t *testing.T) {
+func TestParseTestOutput_Good(t *testing.T) {
 	output := `ok  	dappco.re/go/core/pkg/foo	0.100s	coverage: 50.0% of statements
 FAIL	dappco.re/go/core/pkg/bar
 ?   	dappco.re/go/core/pkg/baz	[no test files]
@@ -33,7 +33,7 @@ FAIL	dappco.re/go/core/pkg/bar
 	assert.Equal(t, 50.0, results.packages[0].coverage)
 }
 
-func TestPrintCoverageSummarySafe(t *testing.T) {
+func TestPrintCoverageSummary_Good_LongPackageNames(t *testing.T) {
 	// This tests the bug fix for long package names causing negative Repeat count
 	results := testResults{
 		packages: []packageCoverage{
diff --git a/crypt/chachapoly/chachapoly_test.go b/crypt/chachapoly/chachapoly_test.go
index 1123f2c..da5b96c 100644
--- a/crypt/chachapoly/chachapoly_test.go
+++ b/crypt/chachapoly/chachapoly_test.go
@@ -15,7 +15,7 @@ func (r *mockReader) Read(p []byte) (n int, err error) {
 	return 0, errors.New("read error")
 }
 
-func TestEncryptDecrypt(t *testing.T) {
+func TestEncryptDecrypt_Good(t *testing.T) {
 	key := make([]byte, 32)
 	for i := range key {
 		key[i] = 1
@@ -31,14 +31,14 @@ func TestEncryptDecrypt(t *testing.T) {
 	assert.Equal(t, plaintext, decrypted)
 }
 
-func TestEncryptInvalidKeySize(t *testing.T) {
+func TestEncrypt_Bad_InvalidKeySize(t *testing.T) {
 	key := make([]byte, 16) // Wrong size
 	plaintext := []byte("test")
 	_, err := Encrypt(plaintext, key)
 	assert.Error(t, err)
 }
 
-func TestDecryptWithWrongKey(t *testing.T) {
+func TestDecrypt_Bad_WrongKey(t *testing.T) {
 	key1 := make([]byte, 32)
 	key2 := make([]byte, 32)
 	key2[0] = 1 // Different key
@@ -51,7 +51,7 @@ func TestDecryptWithWrongKey(t *testing.T) {
 	assert.Error(t, err) // Should fail authentication
 }
 
-func TestDecryptTamperedCiphertext(t *testing.T) {
+func TestDecrypt_Bad_TamperedCiphertext(t *testing.T) {
 	key := make([]byte, 32)
 	plaintext := []byte("secret")
 	ciphertext, err := Encrypt(plaintext, key)
@@ -64,7 +64,7 @@ func TestDecryptTamperedCiphertext(t *testing.T) {
 	assert.Error(t, err)
 }
 
-func TestEncryptEmptyPlaintext(t *testing.T) {
+func TestEncrypt_Good_EmptyPlaintext(t *testing.T) {
 	key := make([]byte, 32)
 	plaintext := []byte("")
 	ciphertext, err := Encrypt(plaintext, key)
@@ -76,7 +76,7 @@ func TestEncryptEmptyPlaintext(t *testing.T) {
 	assert.Equal(t, plaintext, decrypted)
 }
 
-func TestDecryptShortCiphertext(t *testing.T) {
+func TestDecrypt_Bad_ShortCiphertext(t *testing.T) {
 	key := make([]byte, 32)
 	shortCiphertext := []byte("short")
 
@@ -85,7 +85,7 @@ func TestDecryptShortCiphertext(t *testing.T) {
 	assert.Contains(t, err.Error(), "too short")
 }
 
-func TestCiphertextDiffersFromPlaintext(t *testing.T) {
+func TestCiphertextDiffersFromPlaintext_Good(t *testing.T) {
 	key := make([]byte, 32)
 	plaintext := []byte("Hello, world!")
 	ciphertext, err := Encrypt(plaintext, key)
@@ -93,7 +93,7 @@ func TestCiphertextDiffersFromPlaintext(t *testing.T) {
 	assert.NotEqual(t, plaintext, ciphertext)
 }
 
-func TestEncryptNonceError(t *testing.T) {
+func TestEncrypt_Bad_NonceError(t *testing.T) {
 	key := make([]byte, 32)
 	plaintext := []byte("test")
 
@@ -106,7 +106,7 @@ func TestEncryptNonceError(t *testing.T) {
 	assert.Error(t, err)
 }
 
-func TestDecryptInvalidKeySize(t *testing.T) {
+func TestDecrypt_Bad_InvalidKeySize(t *testing.T) {
 	key := make([]byte, 16) // Wrong size
 	ciphertext := []byte("test")
 	_, err := Decrypt(ciphertext, key)
diff --git a/crypt/lthn/lthn_test.go b/crypt/lthn/lthn_test.go
index da0d655..428c0d2 100644
--- a/crypt/lthn/lthn_test.go
+++ b/crypt/lthn/lthn_test.go
@@ -7,14 +7,18 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestHash(t *testing.T) {
+func TestHash_Good(t *testing.T) {
 	hash := Hash("hello")
 	assert.NotEmpty(t, hash)
 }
 
-func TestVerify(t *testing.T) {
+func TestVerify_Good(t *testing.T) {
 	hash := Hash("hello")
 	assert.True(t, Verify("hello", hash))
+}
+
+func TestVerify_Bad(t *testing.T) {
+	hash := Hash("hello")
 	assert.False(t, Verify("world", hash))
 }
 
@@ -50,7 +54,7 @@ func TestCreateSalt_Ugly(t *testing.T) {
 
 var testKeyMapMu sync.Mutex
 
-func TestSetKeyMap(t *testing.T) {
+func TestSetKeyMap_Good(t *testing.T) {
 	testKeyMapMu.Lock()
 	originalKeyMap := GetKeyMap()
 	t.Cleanup(func() {
diff --git a/crypt/openpgp/service_test.go b/crypt/openpgp/service_test.go
index 17d8a55..09044ff 100644
--- a/crypt/openpgp/service_test.go
+++ b/crypt/openpgp/service_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestCreateKeyPair(t *testing.T) {
+func TestCreateKeyPair_Good(t *testing.T) {
 	c := framework.New()
 	s := &Service{core: c}
 
@@ -19,7 +19,7 @@ func TestCreateKeyPair(t *testing.T) {
 	assert.Contains(t, privKey, "-----BEGIN PGP PRIVATE KEY BLOCK-----")
 }
 
-func TestEncryptDecrypt(t *testing.T) {
+func TestEncryptDecrypt_Good(t *testing.T) {
 	c := framework.New()
 	s := &Service{core: c}
 
diff --git a/go.mod b/go.mod
index b1656ce..ac2c01f 100644
--- a/go.mod
+++ b/go.mod
@@ -7,8 +7,8 @@ require (
 	dappco.re/go/core/i18n v0.2.0
 	dappco.re/go/core/io v0.2.0
 	dappco.re/go/core/log v0.1.0
+	dappco.re/go/core/store v0.2.0
 	forge.lthn.ai/core/cli v0.3.7
-	forge.lthn.ai/core/go-store v0.1.10
 	github.com/ProtonMail/go-crypto v1.4.0
 	github.com/stretchr/testify v1.11.1
 	golang.org/x/crypto v0.49.0
diff --git a/go.sum b/go.sum
index 78359db..e5bd4d3 100644
--- a/go.sum
+++ b/go.sum
@@ -6,6 +6,8 @@ dappco.re/go/core/io v0.2.0 h1:zuudgIiTsQQ5ipVt97saWdGLROovbEB/zdVyy9/l+I4=
 dappco.re/go/core/io v0.2.0/go.mod h1:1QnQV6X9LNgFKfm8SkOtR9LLaj3bDcsOIeJOOyjbL5E=
 dappco.re/go/core/log v0.1.0 h1:pa71Vq2TD2aoEUQWFKwNcaJ3GBY8HbaNGqtE688Unyc=
 dappco.re/go/core/log v0.1.0/go.mod h1:Nkqb8gsXhZAO8VLpx7B8i1iAmohhzqA20b9Zr8VUcJs=
+dappco.re/go/core/store v0.2.0 h1:MH3R9m3mdr5T3lMWi37ryvTrXzF4xLBTYBGyNZF0p3I=
+dappco.re/go/core/store v0.2.0/go.mod h1:QQGJiruayjna3nywbf0N2gcO502q/oEkPoSpBpSKbLM=
 forge.lthn.ai/core/cli v0.3.7 h1:1GrbaGg0wDGHr6+klSbbGyN/9sSbHvFbdySJznymhwg=
 forge.lthn.ai/core/cli v0.3.7/go.mod h1:DBUppJkA9P45ZFGgI2B8VXw1rAZxamHoI/KG7fRvTNs=
 forge.lthn.ai/core/go v0.3.2 h1:VB9pW6ggqBhe438cjfE2iSI5Lg+62MmRbaOFglZM+nQ=
@@ -16,8 +18,6 @@ forge.lthn.ai/core/go-inference v0.1.7 h1:9Dy6v03jX5ZRH3n5iTzlYyGtucuBIgSe+S7GWv
 forge.lthn.ai/core/go-inference v0.1.7/go.mod h1:jfWz+IJX55wAH98+ic6FEqqGB6/P31CHlg7VY7pxREw=
 forge.lthn.ai/core/go-log v0.0.4 h1:KTuCEPgFmuM8KJfnyQ8vPOU1Jg654W74h8IJvfQMfv0=
 forge.lthn.ai/core/go-log v0.0.4/go.mod h1:r14MXKOD3LF/sI8XUJQhRk/SZHBE7jAFVuCfgkXoZPw=
-forge.lthn.ai/core/go-store v0.1.10 h1:JLyf8xMR3V6PfBAW1kv6SJeHsYY93LacEBpTFW657qE=
-forge.lthn.ai/core/go-store v0.1.10/go.mod h1:VNnHh94TMD3+L+sSgvxn0GHtDKhJR8FD6JiuIuRtjuk=
 github.com/ProtonMail/go-crypto v1.4.0 h1:Zq/pbM3F5DFgJiMouxEdSVY44MVoQNEKp5d5QxIQceQ=
 github.com/ProtonMail/go-crypto v1.4.0/go.mod h1:e1OaTyu5SYVrO9gKOEhTc+5UcXtTUa+P3uLudwcgPqo=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
diff --git a/trust/policy_test.go b/trust/policy_test.go
index 2248377..c656e89 100644
--- a/trust/policy_test.go
+++ b/trust/policy_test.go
@@ -261,7 +261,7 @@ func TestEvaluate_Good_Tier3IgnoresRepoScope(t *testing.T) {
 
 // --- Default rate limits ---
 
-func TestDefaultRateLimit(t *testing.T) {
+func TestDefaultRateLimit_Good(t *testing.T) {
 	assert.Equal(t, 10, defaultRateLimit(TierUntrusted))
 	assert.Equal(t, 60, defaultRateLimit(TierVerified))
 	assert.Equal(t, 0, defaultRateLimit(TierFull))
diff --git a/trust/trust_test.go b/trust/trust_test.go
index 69a5369..e323110 100644
--- a/trust/trust_test.go
+++ b/trust/trust_test.go
@@ -169,7 +169,7 @@ func TestRegistryListSeq_Good(t *testing.T) {
 
 // --- Agent ---
 
-func TestAgentTokenExpiry(t *testing.T) {
+func TestAgentTokenExpiry_Good(t *testing.T) {
 	agent := Agent{
 		Name:           "Test",
 		Tier:           TierVerified,